Detect installed browser plugins and extensions
Detects if the browser has a built-in PDF viewer to identify plugin spoofing
Compares plugin list with MIME types for logical consistency
Detects if navigator.plugins has been hijacked or spoofed
Note: To prevent browser fingerprinting, modern browsers' plugins API can typically only detect a very limited number of built-in plugins like PDF Viewer.
Detects the status of legacy plugins deprecated by modern browsers
Plugins and extensions add powerful features to your browser, but each one can also leave traces that make your browser more identifiable. Understanding how they are detected — and how an unusual set raises your uniqueness — helps you balance convenience against privacy.
Extensions are small programs that customise your browser, adding features like ad blocking, password management, or translation. Plugins were an older technology, such as Flash and Java applets, that ran embedded content and have largely been retired for security reasons. Today almost everything runs as a modern extension built on web technologies, but both terms still appear in fingerprinting discussions because each can expose distinctive signals.
Legacy plugins used interfaces like NPAPI and could be enumerated directly, making the installed list a rich fingerprinting source. Browsers removed that capability years ago to close security holes, so the classic plugin list is now mostly empty or standardised. Extensions replaced plugins but are deliberately harder to enumerate — yet, as the next sections explain, their effects are still observable in indirect ways.
Even though browsers no longer expose a list of your extensions, the changes those extensions make to a page are visible. An ad blocker removes specific elements, a password manager injects form fields, a translator alters text, and many extensions load resources from predictable internal addresses. By watching for these effects, a website can infer which extensions you are running without ever asking the browser directly.
Detection relies on side effects. Scripts can probe for an extension's web-accessible resources, observe DOM changes it makes, measure timing differences it introduces, or detect content scripts it injects. Each confirmed extension adds identifying information. Because the techniques exploit the extension's own behavior rather than a privileged API, they are difficult to block without disabling the extension that causes them.
Extensions are chosen by personal preference, so an unusual combination can be more identifying than your hardware. A handful of niche extensions together may form a set that almost no one else shares, turning tools you installed for privacy or convenience into a strong, persistent fingerprint. Ironically, some anti-tracking extensions are rare enough that they raise your uniqueness rather than lowering it.
Install extensions only from official stores and trusted developers, since a malicious extension can read everything you do online. Review your list periodically and remove anything you no longer use, both for security and to shrink your fingerprint. For sensitive tasks, a clean profile or private window — which disables most extensions — reduces both your attack surface and your trackability.
A plugin check inspects what your browser exposes to a website: the entries in the navigator.plugins list, the MIME types your browser claims to handle, and behavioural clues that reveal popular extensions even when they are not directly listed. Modern browsers no longer expose a full extension list for privacy reasons, so detection relies on side effects — injected elements, modified page resources, or web-accessible files an extension ships. Running the check shows which of these signals your setup leaks and how much they add to your fingerprint.
Historically, websites read the navigator.plugins array to enumerate installed plugins like Flash or PDF viewers. Today the logic is reversed: to curb fingerprinting, modern browsers return a standardized, hardcoded list — usually a handful of built-in PDF-viewer entries that is nearly identical across Chrome, Edge, and Firefox — so the list itself now carries little entropy. The API still matters for detection, because headless and spoofed browsers often reproduce it imperfectly, and a plugin list that does not match the claimed User-Agent is an immediate bot signal.
Not directly. Modern browsers no longer hand over a list of your extensions. However, sites can often infer which ones you run by detecting the changes they make to a page or the resources they load, so your extensions are not as private as they may seem.
They can. Because extension choices are personal, an unusual set adds entropy to your fingerprint and may identify you more precisely than your hardware. Even privacy extensions can backfire if they are rare. Keeping a minimal, common set of trusted extensions is the safer balance.
By default most extensions are turned off in private or incognito windows unless you explicitly allow them. This reduces both security risk and fingerprinting during sensitive browsing, which is one reason private mode can feel more anonymous even though it does not stop fingerprinting on its own.
Favour well-known extensions from reputable developers with many users, recent updates, and minimal permissions. Widely used tools both tend to be better audited and, because many people run them, add less to your uniqueness than obscure ones. Remove anything you no longer actively use.
Run a plugin check. It reads your navigator.plugins list and supported MIME types and looks for the side effects that reveal common extensions, then shows what a website would detect. Because browsers have curtailed direct extension listing, the check focuses on the signals that still leak — and on whether your plugin data is consistent with the rest of your browser.
Largely no. Old-style plugins such as Flash and Java applets have been removed from modern browsers, replaced by built-in features and web standards. What remains is a small, mostly fixed navigator.plugins list (often just a PDF viewer) plus browser extensions, which are a separate system. The legacy plugin API still exists, though, and is now used more for fingerprinting and bot detection than for real functionality.